EFS-encrypted File Backup

MSP360 Managed Backup supports EFS-encrypted file backup and restore 'as is', i.e. in an encrypted state.

EFS-encrypted file backup is supported in the new backup format only.

This chapter covers the following topics:

  • Upgrade Backup Agent to Version 7.6
  • Enable the 'Keep EFS encryption'
  • Backing Up Local EFS-Encrypted Files
  • Backing Up Remote EFS-Encrypted Files
  • Security Measures

Upgrade Backup Agent to Version 7.6

The 'Keep EFS encryption' feature is supported in Backup Agent 7.6 for Windows or later versions.

To back up EFS-encrypted files 'as is', upgrade Backup Agent instances. Read about Backup Agent upgrading in the Backup Agent Update chapter.

If you upgrade Backup Agent for Windows to version 7.6 and you have already configured file backup plans in the new format with EFS-encrypted files backed up decrypted, you do not have to change anything: the new version works with the same settings and EFS-encrypted files will be backed up as decrypted like before.


Enable the 'Keep EFS encryption'

In Management Console

  1. Open the Management Console.
  2. In the Computers menu, select Remote Management.
  3. Find the required computer and make sure the Backup Agent version installed is 7.6 or later.
  4. Click the gear icon, then select Show Plans.
  5. Edit the existing plan or create a new one.
  6. Follow the backup wizard to the Advanced Options step.
  7. Select the Keep EFS encryption option.
  8. Finish the backup wizard to save the backup plan configuration.

In Backup Agent

First, make sure the Backup Agent version is not earlier than 7.6. If it is, upgrade the Backup Agent.

  1. Determine which backup plan covers your EFS-encrypted content. To change an existing backup plan, click Edit; otherwise create a new file backup plan in the new backup format.
  2. Follow the backup wizard. On the Advanced Options step, select the Keep EFS encryption option, then confirm your selection.
  3. Finish the backup wizard to save the backup plan configuration.

It is highly recommended to read the How To Access EFS-encrypted Files On Other Locations article on the Knowledge Base portal, which describes the security measures required to access EFS-encrypted files restored to other locations.

If your backup plan contains backup sources located on network shares, read the Backing Up Remote EFS-Encrypted Files paragraph.

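Before enabling the option it helps to know exactly which files under the plan's backup sources carry the EFS attribute, because those are the only files whose handling changes. The following PowerShell script is an added example, not MSP360's own code; the paths in `$BackupSources` are placeholders to replace with the plan's actual sources.

```powershell
# Added example (not part of the MSP360 documentation or product): inventory the
# EFS-encrypted files under the folders a backup plan will read, so you know
# which items 'Keep EFS encryption' applies to and whose keys will be needed.
$BackupSources = @('C:\Users\Alice\Documents', 'D:\Finance')   # placeholder paths

$efsFiles = @(foreach ($root in $BackupSources) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Backup source not found: $root"
        continue
    }
    # FILE_ATTRIBUTE_ENCRYPTED (0x4000) is set on every EFS-encrypted file.
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
})

if ($efsFiles.Count -eq 0) {
    'No EFS-encrypted files found under the listed backup sources.'
} else {
    $efsFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    $totalMB = ($efsFiles | Measure-Object -Property Length -Sum).Sum / 1MB
    '{0} EFS-encrypted file(s), {1:N1} MB in total' -f $efsFiles.Count, $totalMB

    # cipher.exe /c shows the certificate thumbprints of the users (and recovery
    # agents) able to decrypt each file; list them for the first few files so you
    # can compare against the certificate you plan to export.
    $efsFiles | Select-Object -First 5 | ForEach-Object { cipher.exe /c $_.FullName }
}
```

Run the script under the user whose files are in the plan; a different account may lack read access to the source folders, which would hide files from the inventory rather than report them.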


Backing Up Local EFS-Encrypted Files

If you selected the Keep EFS encryption option, make sure the Backup service is running under an account with sufficient permissions to back up local EFS-encrypted files.

By default the Backup service runs under the Local System account, which has sufficient permissions to back up EFS-encrypted files. If for some reason you use another account, include it in the Backup Operators group. Read more about this group in the Backup Operators paragraph of the Active Directory Security Groups chapter at docs.microsoft.com.

To continue backup plans that contain local EFS-encrypted files, a full backup must be executed.

EFS-encrypted files are backed up encrypted and are restored encrypted. If the backup plan is continued with incremental backups only (without a full backup), local EFS-encrypted files are backed up and restored decrypted.

If the account the Backup service runs under lacks sufficient permissions to access EFS-encrypted files, these files are skipped and an appropriate warning is displayed.
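The quickest way to rule out the "files skipped" outcome is to check, on the computer running Backup for Windows, which account the Backup service actually starts as and, if it is not Local System, whether that account is a member of the local Backup Operators group. The script below is an added example, not MSP360's own code; `$ServiceName` is a placeholder, since the page does not name the service (use `Get-Service` to find it).

```powershell
# Added example (not MSP360 code): verify the Backup service account meets the
# requirement for local EFS-encrypted files. Run on the computer with Backup for
# Windows, in an elevated PowerShell session.
$ServiceName = '<BackupServiceName>'   # placeholder: the Backup service's actual name

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the name with Get-Service" }
"Service {0} runs as '{1}' (state: {2})" -f $svc.Name, $svc.StartName, $svc.State

# Win32_Service reports Local System as 'LocalSystem'; a local account may be
# reported as '.\name', which Get-LocalGroupMember shows as 'COMPUTERNAME\name'.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"

if ($account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    'Local System: sufficient permissions for local EFS-encrypted files.'
} else {
    $members = (Get-LocalGroupMember -Group 'Backup Operators').Name
    if ($members -contains $account) {
        "'$account' is a member of Backup Operators: OK."
    } else {
        $msg = "'$account' is not in Backup Operators; EFS-encrypted files would be skipped. " +
               "Fix: Add-LocalGroupMember -Group 'Backup Operators' -Member '$account' " +
               "and restart the Backup service."
        Write-Warning $msg
    }
}
```

After changing group membership, restart the Backup service (`Restart-Service -Name $ServiceName`), because the service's access token is built when it starts and does not pick up new group memberships until then.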


Backing Up Remote EFS-Encrypted Files

Note that remote EFS-encrypted file backup is supported only for locations on NTFS file systems and for computers that are domain members.

If you selected the Keep EFS encryption option, pay attention to permissions when backing up EFS-encrypted files located on network shares: there are some important differences from the local case.

By default, the Backup service runs under the Local System account. To back up remote EFS-encrypted files on network shares, the computer on which Backup for Windows is installed must be added to the Backup Operators group on every computer that hosts a network share included in the backup plan.

If permissions are sufficient, EFS-encrypted files will be backed up encrypted. If you continue a backup generation created in a previous version of Backup for Windows (that is, you run incremental backups without a new full backup), EFS-encrypted files on network shares will be backed up and restored decrypted.

To include the required computer in the Backup Operators group, proceed as follows:

  1. On the computer that hosts a network share included in the backup plan, run Computer Management: open the Command Prompt as administrator.
  2. Type compmgmt.msc, then press Enter.
  3. In the left frame, expand the System Tools.
  4. Expand the Local Users and Groups, then select Groups.
  5. Double-click Backup Operators.
  6. Click Add....
  7. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types....
  8. Select Computers.
  9. In the Enter object names to select field, specify the computer name.
  10. Click OK.
  11. On the computer with Backup for Windows, restart the Backup service: right-click the Backup service status icon in the system tray (at the bottom of the screen), then select Stop Service. Wait a few seconds, then right-click again and select Start Service.

If the Backup service is running under an account other than Local System, this account must be included in the Backup Operators group along with the computer where Backup for Windows is installed.

If the account the Backup service runs under lacks sufficient permissions to access EFS-encrypted files, these files are skipped and an appropriate warning is reported.
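The Computer Management steps above can be done from PowerShell on each share host, which is convenient when a plan spans several servers. The script below is an added example, not MSP360's own code: `DOMAIN`, `BACKUPHOST` and the share path are placeholders, and it assumes the share host is domain-joined so that the backup computer's account (`DOMAIN\BACKUPHOST$`) can be resolved.

```powershell
# Added example (not MSP360 code): on a server that hosts a network share in the
# backup plan, grant the backup computer's account Backup Operators membership
# and confirm the share lives on NTFS. Run as a local administrator of this host.
$BackupComputer = 'DOMAIN\BACKUPHOST$'   # placeholder: computer accounts end in '$'
$SharePath      = 'D:\Shares\Finance'    # placeholder: local path behind the share

# 1. Membership check/add (idempotent).
$members = (Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction Stop).Name
if ($members -contains $BackupComputer) {
    "$BackupComputer is already a member of Backup Operators."
} else {
    Add-LocalGroupMember -Group 'Backup Operators' -Member $BackupComputer
    "Added $BackupComputer to Backup Operators."
}

# If the Backup service runs as a dedicated account rather than Local System,
# that account needs the same membership (placeholder account name):
# Add-LocalGroupMember -Group 'Backup Operators' -Member 'DOMAIN\svc-backup'

# 2. EFS is an NTFS feature; a share on ReFS/FAT cannot hold EFS-encrypted files,
#    so the 'Keep EFS encryption' option has nothing to act on there.
$fs = (Get-Volume -FilePath $SharePath).FileSystem
if ($fs -ne 'NTFS') { Write-Warning "$SharePath is on $fs, not NTFS" } else { "$SharePath is on NTFS." }

# 3. Show the share that exposes this path, for the record.
Get-SmbShare | Where-Object { $_.Path -eq $SharePath } | Select-Object Name, Path, ScopeName
```

Finish with the last step of the procedure: restart the Backup service on the computer running Backup for Windows, otherwise its existing logon token will not include the new group membership on the share host.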


Security Measures

Note that if you back up EFS-encrypted files 'as is' (encrypted), you will need additional tools to access these files if they are ever restored to another location.

To avoid being locked out of EFS-encrypted files restored to another computer while the 'Keep EFS encryption' option is enabled, perform one of the following actions before you run the backup plan:

  • If you have one or a few EFS-encrypted files: export the encryption certificate with its private key from the source computer and add them to the backup plan. You will need them to access the EFS-encrypted files.
  • If you have a large number of EFS-encrypted files: configure Key Archival in the Certificate Authority, then create and configure a Key Recovery Agent using domain or local group policies. Self-signed certificates will be disabled and key recovery agent certificates will be used instead.

Read more in the How To Access EFS-encrypted Files On Other Locations article in the MSP360 Knowledge Base.
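For the first option (a few files, no PKI), the EFS certificate and private key can be exported from the user's personal store to a password-protected PFX with built-in cmdlets. The script below is an added example, not MSP360's own code; the output directory is a placeholder, and it assumes the user who encrypted the files is the one running it (EFS keys live in that user's `Cert:\CurrentUser\My` store).

```powershell
# Added example (not MSP360 code): export every EFS certificate that has a
# private key from the current user's store, one PFX per certificate, so the
# files can be decrypted after a restore to another computer.
$OutDir   = 'C:\EFS-keys'   # placeholder: keep the PFX files outside the backup sources they protect
$Password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'

# EFS certificates carry the enhanced key usage 'Encrypting File System',
# OID 1.3.6.1.4.1.311.10.3.4. Older encrypted files may depend on an older
# certificate, so export all of them rather than only the newest.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' })
}
if (-not $efsCerts) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($cert in $efsCerts) {
    $pfx = Join-Path $OutDir ('efs-{0}.pfx' -f $cert.Thumbprint)
    $cert | Export-PfxCertificate -FilePath $pfx -Password $Password | Out-Null
    'Exported {0} (expires {1:d}) -> {2}' -f $cert.Subject, $cert.NotAfter, $pfx
}

# On the restore computer, as the user who will open the files, import the PFX
# into the personal store before accessing the restored EFS-encrypted files:
# Import-PfxCertificate -FilePath <pfx> -CertStoreLocation Cert:\CurrentUser\My -Password $Password
```

The thumbprints printed here should match the ones `cipher.exe /c <file>` lists for the encrypted files; if a file names a thumbprint that is not in the export, its key belongs to another user or to a certificate that has already been removed from the store.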
